Yeah, I think it would require a custom client/customization of globus-url-copy, but the info should be there on the client side (has to be for the ssl handshake).
What x.509 information do we actually need? This is for an INCA test--are we looking to warn sites that their certs might expire soon?

Eric

----- Original Message -----
> Looks like there is no way to see other cert attributes such as expiration date, right?
>
> Since that sort of information has to be available to the ssl client, could we put in a feature request for globus-url-copy to have an option to display all the ssl x.509 information it can?
>
> JP
> Sent via BlackBerry from T-Mobile
>
> -----Original Message-----
> From: Eric Blau <[email protected]>
> Date: Mon, 5 Dec 2011 15:01:19
> To: JP Navarro <[email protected]>
> Cc: Lukasz Lacinski <[email protected]>; Stu Martin <[email protected]>; <[email protected]>; Mike Link <[email protected]>
> Subject: Re: Is there a way to retrieve a GridFTP's x.509 certificate information
>
> I just chatted with Mike Link, and, while he didn't have an immediate full solution, he did mention a couple of ways to get some information.
>
> If a host does not have certificates in place for its gridftp server, it will give an error if you connect (with telnet or netcat) and issue "auth gssapi". If it does have a certificate, it will give a "334" response:
>
> [eblau@forge ~]$ telnet grid-forge.ncsa.xsede.org 2812
> Trying 141.142.164.101...
> Connected to forge.ncsa.illinois.edu (141.142.164.101).
> Escape character is '^]'.
> 220 GridFTP Server 2.8 (gcc64, 1217607445-63) [Globus Toolkit 5.0.4] - Running in Non-Striped Mode. ready.
> auth gssapi
> 334 Using authentication type; ADAT must follow.
>
> I think that this method would issue an error if the certificate was invalid (expired).
>
> Also, you can get globus-url-copy to divulge the subject name of the gridftp server certificate by specifying a subject with -s that you know is incorrect, and watching the error message:
>
> [eblau@forge ~]$ globus-url-copy -v -s "/DC=org/DC=doegrids/OU=People/CN=Eric Blau 216112/CN=1981729001" gsiftp://grid-forge.ncsa.xsede.org:2812/etc/group ./foobar
> Source: gsiftp://grid-forge.ncsa.xsede.org:2812/etc/
> Dest: file:///uf/ncsa/eblau/./
> group -> foobar
>
> error: globus_ftp_control: gss_init_sec_context failed
> GSS Major Status: Unexpected Gatekeeper or Service Name
> globus_gsi_gssapi: Authorization denied: The name of the remote entity (/C=US/O=National Center for Supercomputing Applications/OU=Services/CN=forge.ncsa.illinois.edu), and the expected name for the remote entity (/DC=org/DC=doegrids/OU=People/CN=Eric Blau 216112/CN=1981729001) do not match
>
> Not sure if this solves the problem, but thought I'd pass the information along.
>
> Eric
>
> ----- Original Message -----
> > XSEDE would like its monitoring system (Inca) to access information about a GridFTP server's X.509 certificate.
> >
> > Is there a way to interact with a GridFTP server and retrieve server certificate information?
> >
> > Thanks,
> >
> > JP
> >
> > Begin forwarded message:
> >
> > > From: "Smallen, Shava" <[email protected]>
> > > Subject: FW: Inca XSEDE Notification: gridftp-nonstriped-auth-dms-4.2.0 on tacc-ranger FAIL
> > > Date: December 5, 2011 11:55:38 AM CST
> > > To: David Carver <[email protected]>
> > > Cc: JP Navarro <[email protected]>
> > >
> > > Hey David,
> > >
> > > I'm not sure if there is a way to read the gridftp credentials remotely as you can with GRAM so we can warn ahead of time. We have some tests that execute:
> > >
> > > openssl s_client -connect host:port
> > >
> > > But I get a protocol error when I try to do that against gridftp servers. JP, do you know?
> > >
> > > Thanks,
> > > Shava
> > >
> > > On 12/5/11 9:48 AM, "Inca Inca" <[email protected]> wrote:
> > >
> > >> The following Inca test has FAILED:
> > >>
> > >> RAN AT: 2011-12-05T09:48:07.000-0800
> > >>
> > >> RAN ON: login3.ranger.tacc.utexas.edu
> > >>
> > >> TEST: data.transfer.gridftp.unit.auth-dns
> > >>
> > >> INPUT PARAMETERS: -dest=gridftp.ranger.tacc.teragrid.org:2811 -help=no -log=0 -timeout=60 -verbose=1 -version=no
> > >>
> > >> ERROR MESSAGE: globus-url-copy -len 1280 file:///dev/zero gsiftp://129.114.50.166:2811//dev/null failed:
> > >> error: globus_ftp_client: the server responded with an error
> > >> 530 530-globus_xio: Server side credential failure
> > >> 530-globus_gsi_gssapi: Error with GSI credential
> > >> 530-globus_gsi_gssapi: Error with gss credential handle
> > >> 530-globus_credential: Error with credential: The host credential:
> > >> /etc/grid-security/hostcert.pem
> > >> 530- with subject:
> > >> /C=US/O=UTAustin/OU=TACC/CN=gridftp2.ranger.tacc.utexas.edu
> > >> 530- has expired xx minutes ago.
> > >> 530-
> > >> 530 End.
> > >>
> > >> gridftp.ranger.tacc.teragrid.org mapped to the following ips: 129.114.50.166
> > >>
> > >> details at
> > >> http://inca.xsede.org/inca/jsp/instance.jsp?xsl=instance.xsl&nickname=gridftp-nonstriped-auth-dms-4.2.0&resource=tacc-ranger&collected=2011-12-05T09:48:07.000-08:00
> > >>
> > >
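As an added example (not part of this thread and not Globus Toolkit code), the following Python script automates the manual check Eric describes: open the GridFTP control port, read the 220 banner, send `AUTH GSSAPI`, and classify the reply. A 334 means the server presented a credential and expects ADAT next, which is the healthy case a monitoring probe like Inca's would want. The script embeds a constructed stand-in server so it runs offline; the multi-line 530 reply it feeds that server is modeled on the Inca failure quoted above. Treating a 530 reply to AUTH that mentions "expired" as an expired-credential verdict follows Eric's "I think that this method would issue an error" remark and is an assumption, not something the thread confirms. All function names, the fake server, and the localhost endpoints are mine.

```python
"""Probe a GridFTP control channel for a usable host credential.

Added example, not from the thread or the Globus Toolkit. Reply parsing
follows RFC 959: "NNN-" opens a multi-line reply, "NNN " closes it.
"""
import socket
import threading


def read_reply(rfile):
    """Read one FTP reply (single- or multi-line); return (code, lines)."""
    first = rfile.readline()
    if not first:
        raise ConnectionError("server closed the control connection")
    first = first.decode("utf-8", "replace").rstrip("\r\n")
    code, lines = first[:3], [first]
    if len(first) > 3 and first[3] == "-":  # multi-line reply
        while True:
            line = rfile.readline()
            if not line:
                raise ConnectionError("connection closed mid-reply")
            line = line.decode("utf-8", "replace").rstrip("\r\n")
            lines.append(line)
            if line.startswith(code + " "):  # "530 End." style terminator
                break
    return code, lines


def classify(code, lines):
    """Map the reply to AUTH GSSAPI onto a monitoring verdict."""
    if code == "334":
        return "ok"  # credential present; server is waiting for ADAT
    if code == "530":
        # Assumption: an expired host cert surfaces as a 530 mentioning
        # "expired", as in the Inca failure text quoted in the thread.
        return "expired" if "expired" in "\n".join(lines) else "credential-failure"
    return "unknown"


def probe_gridftp(host, port, timeout=10.0):
    """Connect, read the banner, send AUTH GSSAPI, return verdict + raw reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        banner_code, banner = read_reply(rfile)
        if banner_code != "220":
            return {"verdict": "unknown", "banner": banner, "reply": []}
        sock.sendall(b"AUTH GSSAPI\r\n")  # RFC 2228 form of Eric's "auth gssapi"
        code, reply = read_reply(rfile)
        return {"verdict": classify(code, reply), "banner": banner, "reply": reply}


def fake_gridftp_server(reply_lines):
    """Constructed stand-in control channel on 127.0.0.1 (demo only).

    Sends a 220 banner, consumes the first command, answers with reply_lines.
    Returns the ephemeral port it listens on.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(b"220 GridFTP Server (constructed demo) ready.\r\n")
            conn.makefile("rb").readline()  # consume "AUTH GSSAPI"
            conn.sendall("".join(l + "\r\n" for l in reply_lines).encode())
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


# Constructed replies: the healthy 334 from Eric's telnet session, and a 530
# modeled on the Inca failure (paths and subject taken from that message).
REPLY_OK = ["334 Using authentication type; ADAT must follow."]
REPLY_EXPIRED = [
    "530-globus_xio: Server side credential failure",
    "530-globus_gsi_gssapi: Error with GSI credential",
    "530-globus_credential: Error with credential: The host credential: "
    "/etc/grid-security/hostcert.pem",
    "530- with subject: /C=US/O=UTAustin/OU=TACC/CN=gridftp2.ranger.tacc.utexas.edu",
    "530- has expired xx minutes ago.",
    "530 End.",
]


def demo(reply_lines):
    """Run the probe against a fake server that answers with reply_lines."""
    port = fake_gridftp_server(reply_lines)
    return probe_gridftp("127.0.0.1", port)["verdict"]


if __name__ == "__main__":
    print("healthy server ->", demo(REPLY_OK))       # ok
    print("expired server ->", demo(REPLY_EXPIRED))  # expired
```

Against a real server you would call `probe_gridftp(host, 2811)` and alert on anything other than `ok`; the raw `reply` list is kept in the result so the 530 text (which names the credential file and subject) can be included in the alert. Note that this only tells you whether the credential is loadable now, which is why the thread goes on to ask for a way to read the certificate's expiration date ahead of time.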
